OFFICE OF INSPECTOR GENERAL
Catalyst for Improving the Environment

Audit Report

PeoplePlus Security Controls Need Improvement

Report No. 2005-P-00019
July 28, 2005

Report Contributors:
Rudolph M. Brevard
Corey Costango
Warren Brooks
William Coker

Abbreviations
EPA     Environmental Protection Agency
HR      Human Resources
IT      Information Technology
NACIC   National Agency Check with Inquiries and Credit
OARM    Office of Administration and Resources Management
OCFO    Office of the Chief Financial Officer
OFS     Office of Financial Services
OHR     Office of Human Resources
OIG     Office of Inspector General
PAR     Personnel action request
PPL     PeoplePlus
TOPOs   Task Order Project Officers

U.S. Environmental Protection Agency
Office of Inspector General

At a Glance
2005-P-00019
July 28, 2005

Why We Did This Review
Our objectives were to determine whether: (1) the Environmental Protection Agency (EPA) adequately configured PeoplePlus' application security and technical infrastructure to protect the confidentiality, integrity, and availability of system data; and (2) implemented controls were working as intended.

Background
PeoplePlus is the EPA's new integrated human resources (HR), benefits, payroll, and time and labor system that is managed jointly by the Office of the Chief Financial Officer (OCFO) and the Office of Administration and Resources Management (OARM). Both HR and payroll data are processed to comply with Federal, State, and EPA reporting requirements.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2005/20050728-2005-P-00019.pdf

PeoplePlus Security Controls Need Improvement

What We Found
Our review identified three significant issues in the security administration of PeoplePlus (PPL).
First, the Agency had not followed prescribed procedures for managing user access privileges, monitoring changes in employee responsibilities, and processing system access requests. Second, EPA did not verify or conduct the required National Agency Check with Inquiries and Credit background screenings for 45 percent (10 of 22) of contractor personnel with PPL access. Third, EPA implemented PPL without adequately implementing security controls for two key processes. Specifically, OCFO had not properly secured default user IDs and did not adequately separate incompatible duties performed by the Security Administrator.

What We Recommend
We recommend the Directors of EPA's Office of Financial Services (OFS) and Office of Human Resources (OHR) take 13 actions to improve PPL security controls. These recommendations address areas where EPA could improve user access management and contractor background screening procedures. These recommendations include: (1) reinforcing the requirements to follow prescribed policies and procedures; (2) providing a training program to increase awareness and ability to perform security duties; (3) evaluating the need for system development contractors to have access to the production environment; and (4) establishing a milestone date to complete contractor background screening. We recommend that EPA evaluate all default user IDs to secure them, and assign Security Administrators' responsibilities in a manner that provides adequate separation of incompatible duties. EPA concurred with all of our recommendations and provided a plan of action to address concerns.

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460
OFFICE OF INSPECTOR GENERAL

July 28, 2005

MEMORANDUM

SUBJECT: PeoplePlus Security Controls Need Improvement
         Report No. 2005-P-00019

FROM: Rudolph M. Brevard, Acting Director /s/
      Business Systems Audits

TO: Charles E. Johnson
    Chief Financial Officer

    Luis A. Luna
    Assistant Administrator for Administration and Resources Management

This is our final report on the PeoplePlus security controls audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This audit report contains findings that describe problems the OIG has identified and corrective actions the OIG recommends. This audit report represents the opinion of the OIG, and the findings in this audit report do not necessarily represent the final EPA position. EPA managers, in accordance with established EPA audit resolution procedures, will make final determinations on matters in this audit report.

Action Required
The Action Officials do not have to provide a response to this report. The Agency's response to the draft report contained an adequate corrective action plan with milestone dates to implement the plan. We have no objection to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact me at (202) 566-0893.
Table of Contents

At a Glance

Chapters
1  Introduction  1
     Purpose  1
     Background  1
     Scope and Methodology  2
     Results in Brief  2
2  Further Steps Needed to Improve User Account Management  3
     Managing Access Privileges  3
     Monitoring Changes in System Access  4
     Processing Access Requests  4
     Online Security Policy Enforcement and System Access Definitions Are Ineffective  5
     Recommendations  5
     Agency Comments and OIG Evaluation  6
3  Improvements Needed in Contractor Background Screening Process  7
     EPA Did Not Follow Contractor Background Screening Procedures  7
     Recommendations  8
     Agency Comments and OIG Evaluation  8
4  Improvements Needed for Default User IDs and Security Administrator Duties  9
     Default User IDs Not Secured  9
     Security Administrator Performs Incompatible Duties  10
     Recommendations  10
     Agency Comments and OIG Evaluation  11

Appendices
A  Agency Criteria  12
B  Agency Response to Draft Report  13
C  Distribution  22

Chapter 1
Introduction

Purpose
Our objectives were to determine whether: (1) the Environmental Protection Agency (EPA) adequately configured PeoplePlus' application security and technical infrastructure to protect the confidentiality, integrity, and availability of system data; and (2) implemented controls were working as intended.

Background
PeoplePlus (PPL) is the EPA's new integrated human resources (HR), benefits, payroll, and time and labor system that is managed jointly by the Office of the Chief Financial Officer (OCFO) and Office of Administration and Resources Management (OARM). The system processes the data to comply with Federal, State, and EPA reporting requirements. As both the HR and payroll system, PPL contains confidential personnel information, such as names, addresses, Social Security numbers, and employee IDs.
In this regard, EPA classified PPL's data sensitivity level as high for confidentiality, integrity, and availability because:

• The Privacy Act requires protection of the personnel information in the system;
• Miscalculation of payroll and entitlements could occur due to inaccurate or erroneously modified data; and
• Unavailability of data would adversely affect the Agency's ability to make financial payments, address benefits issues, or meet internal reporting requirements.

EPA established policies to guide its employees and contractors on controlling and securing access to the PPL system, as well as the network and other Agency information resources. OCFO developed procedures for online access to the system. OCFO also developed the PPL Security Plan, which details the managerial, operational, and technical controls for securing PPL. Likewise, EPA created a network security policy that establishes controls to ensure a secure network infrastructure. The Agency's Information Security Manual sets forth requirements for securing information resources in accordance with EPA and Federal policies. Appendix A contains a summary of key Agency policies.

Scope and Methodology
We conducted this audit from November 2004 to April 2005 at EPA Headquarters in Washington, DC. We interviewed Agency personnel and contractors responsible for processing HR and payroll transactions and securing the application. We reviewed Agency policies, procedures, reports, and forms used to grant users system access and enforce system security. We conducted system walkthroughs of user functionality and selected a judgmental sample of functional users within the Office of Financial Services (OFS) and the Office of Human Resources (OHR) to evaluate their system access. Functional users are EPA employees or contractors that have special access to PeoplePlus in order to process human resources, time keeping, or payroll transactions, or to perform system security maintenance.
This audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.

Results in Brief
Program offices had not followed prescribed procedures to limit employees' system access, monitor changes in employees' system needs, process system access requests, or conduct background screenings on contractors. We identified the following additional weaknesses: (1) program offices did not develop procedures to carry out their assigned system responsibilities, and (2) personnel required additional training to perform their assigned duties. Without restricting user access to the minimal set of privileges necessary, users could circumvent the organizational security policy, exposing the Agency to attacks or damage to the information technology (IT) infrastructure.

Furthermore, EPA implemented PPL without adequately implementing security controls for two key system maintenance processes. OCFO had not properly secured default user IDs shipped with the system. A user ID is a number or name that is unique to a particular PeoplePlus user. OCFO also had not separated incompatible duties performed by the Security Administrator. During system development, EPA did not conduct an analysis to: (1) determine which default accounts were necessary to operate the system, (2) develop a strategy to mitigate the risks associated with prepackaged default accounts, and (3) design controls to ensure one person could not authorize or approve system changes without detection. EPA places itself at greater risk because an employee could use the default IDs or incompatible duties to bypass implemented controls without detection and undermine the integrity of the data processed through the system.

We made 13 recommendations to improve PPL security controls. EPA concurred with all of our recommendations and provided a plan of action to address concerns. We included EPA's complete response as Appendix B.
Chapter 2
Further Steps Needed to Improve User Account Management

EPA did not effectively manage PPL user system access. Specifically, OCFO and OARM had not followed prescribed procedures for managing user access privileges, monitoring changes in employee system access needs, or granting users access consistent with requests. This occurred because Agency personnel did not conduct required tasks, such as: (1) verifying employee access requests against assigned responsibilities, (2) reviewing user access needs on a quarterly basis, (3) monitoring changes in employee duties, and (4) maintaining documentation to support access to the system. This led to excessive (unnecessary or incompatible) system access, which could allow users to circumvent implemented security controls and increases the likelihood that errors or wrongful acts go undetected.

Managing Access Privileges
PPL functional users received more system access than necessary to perform their job responsibilities. Several employees had system access privileges that gave them the capability to perform unnecessary or incompatible functions. For example:

• OCFO employees, whose access should have been limited to entering data, had the ability to approve data as well. Specifically, two OCFO employees within the Payroll Management section could calculate and confirm pay sheets in addition to having the ability to review and approve these same payroll transactions. In addition, one of these employees had access that allowed that person to perform incompatible time-keeping and approving functions. With this access, the employee could record hours worked, and verify and approve data on employee time sheets. We also noted that approximately 44 other employees had access to these same incompatible time-keeping and approving functions. However, we did not verify to what extent these other employees were using this access.
• OARM gave a user system access to critical HR functions, with the ability to input personnel action requests (PARs), although the employee only needed the ability to generate reports.
• Several system development contractors have functional user roles (a specific set of rights and privileges) within the production environment. These roles provide the contractors with the ability to process general payroll transactions, update employee pay records, and review and approve individual payroll transactions. The contractors also have the ability to record and approve hours worked on employee time sheets, process PAR transactions, and manage employee records.

Monitoring Changes in System Access
EPA did not remove system access after users either transferred to other offices or were assigned different job responsibilities. These employees retained their previous system access privileges, although they did not need the access for their current duties. For instance:

• OCFO had not requested the removal of full system access for a contractor recently assigned to other duties. Although the contractor needed elevated access during system validation, the office took no action to reduce the contractor's access once EPA placed PPL into production.
• The OCFO Payroll Supervisor, with access to key payroll processing functions, transferred to the Office of Research and Development in November 2004. However, neither office took action to ensure the employee's system access was consistent with the employee's new duties, although Agency policy requires this analysis. In addition, OCFO had not updated system access privileges for the current Payroll Supervisor, who transferred from the Systems Planning and Integration Staff group.

Processing Access Requests
EPA had not correctly processed user access request forms for 79 percent (11 of 14) of the users in our sample.
Although EPA granted functional users system access to key HR and payroll functions, we found Security Administrators did not maintain or process system access documentation in accordance with prescribed procedures. We selected a sample of 14 functional users to validate whether EPA processed access requests according to prescribed policies. As indicated in Table 1, EPA granted system access in accordance with prescribed policies 21 percent of the time. For the remainder of the users, EPA granted system access either without adequately prepared (unavailable or unsigned) documentation or inconsistent with the requests.

Table 1 - Analysis of PeoplePlus System Access Forms

Access Granted:                    Number   Percent
With Adequate Documentation             3        21
Without Adequate Documentation          7        50
Inconsistent with Requests              4        29
Total                                  14       100

Online Security Policy Enforcement and System Access Definitions Are Ineffective
EPA has not managed user accounts effectively because personnel did not follow existing security policies and system access user roles were not adequately developed. Although OCFO provided broad overarching guidance for securing the PPL system, program offices carry out these responsibilities inconsistently. As a result, personnel did not conduct required tasks such as: (1) verifying employee access requests against assigned responsibilities; (2) reviewing user access needs quarterly; (3) monitoring changes in employee duties; and (4) maintaining documentation to support access to the system.

EPA's analysis of user access requirements to develop system access roles was inadequate. In many cases, we found EPA developed system access roles based on the employee duties in the separate HR and Payroll systems as opposed to the access needed for the new combined system. In addition, EPA developed generic system access roles to perform a series of related tasks and then gave employees this access regardless of whether they performed those duties.
Inconsistent compliance with security guidance and inadequate user role development led to excessive user access privileges. Although EPA implemented procedures to monitor payroll processing, an employee with excessive privileges could inappropriately change payments to individuals if the review procedures are not followed or enforced. In addition, excessive access provides employees with unnecessary opportunities to circumvent system security and sets the stage for situations where errors or wrongful acts could go undetected.

Recommendations
We recommend the Director of the Office of Financial Services:

2-1 Conduct and document an analysis of functional user system access requirements to create appropriate roles that restrict employee access to necessary functionality.
2-2 Assign all current system users to the appropriate roles.

We recommend the Directors of the Office of Human Resources and the Office of Financial Services:

2-3 Develop and publish a joint policy memorandum to all staff reinforcing established policies and procedures outlined in the PPL Security Plan and Online Access Guide.
2-4 Develop and implement a strategy to increase managers' awareness of security responsibilities assigned to their employees.
2-5 Provide in-depth training for the assigned PPL Access Coordinators and Security Administrators. Establish milestone dates when all PPL Access Coordinators and Security Administrators will complete the training.
2-6 Establish milestone dates when offices will implement the required quarterly reviews of user system access.
2-7 Conduct and document an evaluation of system access needs for system development contractors with access to the production environment. Establish, document, and implement controls to limit and monitor contractor access.

Agency Comments and OIG Evaluation
The Directors of both OFS and OHR concurred with our seven recommendations to improve PPL user account management. The Agency has completed some analysis of functional user roles and set completion dates for corrective actions to address our remaining recommendations. The corrective actions planned are appropriate and will adequately address the recommendations.

Chapter 3
Improvements Needed in Contractor Background Screening Process

EPA did not ensure that contractors obtained an appropriate background check before granting them access to PPL. Our review indicated that offices granted contractors access to the system without verifying whether contractor personnel had the required National Agency Check with Inquiries and Credit (NACIC). These weaknesses occurred because the Agency did not follow the procedures outlined in the online access policy. These weaknesses in basic controls have the potential to undermine an essential part of the system's security.

EPA Did Not Follow Contractor Background Screening Procedures
EPA did not ensure contractors obtained the required background check before granting them access to PPL. We reviewed the background check status for all OCFO and OARM contractors with system access. We found that for 10 of 22 contractors (45 percent), the program offices authorized access to the system without verifying the contractor had completed the Agency-required NACIC background check. These weaknesses occurred because neither program office followed the procedures outlined in the online access policy. Specifically, we found that the Task Order Project Officers (TOPOs), responsible for authorizing and requesting system access, needed additional training on EPA-prescribed contractor background screening procedures. In addition, OARM did not establish procedures to follow up on requested background screening checks for contractors given temporary system access.
Because intentional and unintentional employee actions are the primary cause of disruptions of information system integrity and operation, security controls should provide reasonable assurance that systems are safeguarded. Although not infallible, background checks serve as a basic control to determine whether contractors are suitable to have access to sensitive Agency information. These checks are an integral part of an overall system of controls to protect the confidentiality, integrity, and availability of information systems. Furthermore, while authorizing temporary system access is sometimes necessary, offices should use it sparingly and monitor it to maintain internal controls. By not implementing processes to follow up and promptly remove the access when no longer required, management places EPA at greater risk that unscrupulous individuals could undermine the integrity of the system.

Recommendations
We recommend that the Directors of the Office of Human Resources and the Office of Financial Services:

3-1 Develop, implement, and document a formal training program for the personnel responsible for requesting and approving contractor personnel access to PPL. Ensure that all TOPOs receive the training.
3-2 Develop, implement, and document specific procedures for processing contractor personnel background screening requests.
3-3 Develop and implement a monitoring process for contractors granted temporary access to PPL.
3-4 Establish a milestone date to complete NACIC security screenings for all contractor personnel with system access.

Agency Comments and OIG Evaluation
The Directors of both OFS and OHR concurred with our four recommendations to improve the contractor background screening process. The Agency has completed all NACIC security screenings for the contractor personnel we identified in the report as not having a verified background check. The Agency established target dates for addressing our remaining recommendations. The corrective actions planned are appropriate and will adequately address the recommendations.

Chapter 4
Improvements Needed for Default User IDs and Security Administrator Duties

EPA implemented PPL without adequately developing security controls for default user IDs and adequately separating incompatible duties performed by the Security Administrator. By not controlling special access accounts and adequately separating duties, a person could bypass implemented controls without detection and undermine the integrity of the data.

Default User IDs Not Secured
EPA has not secured default user IDs, which allow users to bypass security controls. Default user IDs are of two types: "Super User IDs" and "User IDs." Super User IDs have unrestricted access to the system. User IDs provide unlimited access for specific application modules, such as HR or Payroll. Our review disclosed that 7 of 9 (78 percent) IDs listed in a Security Administrator account were default user IDs. Although the Security Administrator changed the account passwords and locked some accounts, we found three of the default user IDs were still active.

Like many enterprise resource planning applications, PPL comes with multiple default user IDs with passwords set to commonly known factory settings. The manufacturer delivered the PPL software to EPA with default user IDs and passwords. According to industry security best practices, the Agency should have appropriately secured the default user IDs and passwords by: (1) locking, (2) removing, or (3) changing them as part of the system implementation process. Immediate and proper identification and maintenance of these IDs, especially Super User IDs, are vital to the security of the application. With knowledge of the system's configuration and access to EPA's network, a person could use a default user ID to exploit PPL.
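The three remediation options above (lock, remove, or change) only work against a documented necessity analysis, and both can be checked mechanically from an account listing. The following Python script is an added example, not EPA's or the vendor's tooling: the account IDs, status flags, and the NEEDED_DEFAULTS set are constructed placeholders, and the nine-account sample is shaped like the 7-of-9 finding in this chapter.

```python
"""Review of vendor-shipped default user IDs (added example, not EPA code).

Each default ID is classified against a documented necessity analysis:
IDs the system needs must have their factory password changed and be
monitored; IDs it does not need must be locked or removed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    user_id: str
    shipped_default: bool    # delivered with the package
    super_user: bool         # unrestricted access to the whole system
    locked: bool
    password_changed: bool   # factory password no longer in use


# Constructed sample shaped like the report's finding: 9 IDs in a Security
# Administrator's list, 7 of them vendor defaults, 3 defaults still active.
# The IDs are placeholders, not real PeoplePlus default accounts.
ACCOUNTS = [
    Account("DEFAULT_SUPER_A", True, True, True, True),
    Account("DEFAULT_SUPER_B", True, True, False, True),   # active super user
    Account("DEFAULT_HR_1", True, False, True, True),
    Account("DEFAULT_HR_2", True, False, False, True),     # active, documented as needed
    Account("DEFAULT_PAY_1", True, False, True, False),    # locked, factory password kept
    Account("DEFAULT_PAY_2", True, False, False, False),   # active with factory password
    Account("DEFAULT_BATCH", True, False, True, True),
    Account("secadmin_1", False, False, False, True),
    Account("secadmin_2", False, False, False, True),
]

# Hypothetical necessity analysis (recommendation 4-1): the default IDs the
# system is documented to need in production.
NEEDED_DEFAULTS = {"DEFAULT_HR_2"}


def classify(acct, needed=NEEDED_DEFAULTS):
    """Return (severity, required action) for one account.

    Severity is one of "ok", "medium", "high", "critical".
    """
    if not acct.shipped_default:
        return ("ok", "not a vendor default")
    if acct.user_id in needed:
        if not acct.password_changed:
            return ("critical", "change factory password; ID is required")
        if acct.super_user:
            return ("high", "required super user: restrict and monitor use")
        return ("medium", "retain; document justification and review quarterly")
    # Not documented as needed, so it should be locked or removed.
    if not acct.locked:
        if not acct.password_changed:
            return ("critical", "lock or remove: active with factory password")
        return ("critical" if acct.super_user else "high", "lock or remove: not needed")
    if not acct.password_changed:
        return ("medium", "locked, but change the factory password before removal")
    return ("ok", "locked; schedule removal")


def review(accounts=ACCOUNTS, needed=NEEDED_DEFAULTS):
    """Map every user ID to its classification."""
    return {a.user_id: classify(a, needed) for a in accounts}


def summary(accounts=ACCOUNTS):
    """Headline numbers of the kind reported in Chapter 4."""
    defaults = [a for a in accounts if a.shipped_default]
    active = [a for a in defaults if not a.locked]
    return {
        "ids": len(accounts),
        "default_ids": len(defaults),
        "default_pct": round(100 * len(defaults) / len(accounts)),
        "active_defaults": len(active),
    }


if __name__ == "__main__":
    print(summary())
    for user_id, (severity, action) in sorted(review().items()):
        print(f"{severity:8} {user_id:16} {action}")
```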
Although EPA developed a system security plan and provided broad overarching security guidance, we found that key security documents were either not prepared or unavailable for review. Specifically, EPA had not prepared an analysis of the design and assignment of permissions and roles within the system. In this regard, EPA had not documented which default IDs were necessary for the system to process HR and payroll transactions or the remediation actions necessary to secure those accounts not needed.

Security Administrator Performs Incompatible Duties
Our analysis determined that one Security Administrator had system access and responsibilities for three incompatible, critical security functions. These functions should be separate to ensure that no one person has complete control over the implementation of program changes without detection. A Security Administrator responsible for implementing user roles could inadvertently or deliberately obtain access to PPL functions that are not in accordance with management policies. Specifically, this particular Security Administrator was responsible for:

• Creation and maintenance of roles and permission lists;
• Migration of roles and permission lists into the production stage; and
• Creation and maintenance of user profiles.

The performance of incompatible duties is a common security concern, but is further heightened when an employee with control over the system performs the duties. The Security Administrators are one of the pillars of an effectively implemented system of controls. Because of this, EPA places itself at greater risk when a Security Administrator performs incompatible duties that are vital to the underlying security of the application. In addition, the potential exists that system changes could occur and go undetected, which could undermine the controls management must rely upon for the integrity of the information processed by the system.
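As an added example (not OCFO's or OARM's tooling), the following Python script reviews role assignments for the incompatible function pairs named in this chapter and in Chapter 2 (payroll entry versus approval, pay-sheet calculation versus approval, time recording versus time approval, and the three Security Administrator duties listed above), and also reports access granted beyond what the user's access request documents. Role names, user names, the function labels, and the DOCUMENTED_NEED table are constructed for illustration.

```python
"""Segregation-of-duties and least-privilege review of role assignments.

Added example modelled on the incompatible functions named in Chapters 2
and 4 of the report; the roles, users and documented needs are constructed.
"""
from itertools import combinations

# Function pairs the audit describes as incompatible: one person should
# not hold both sides of a pair.
INCOMPATIBLE = {
    frozenset({"enter_payroll_data", "approve_payroll_data"}),
    frozenset({"calculate_confirm_paysheets", "review_approve_payroll"}),
    frozenset({"record_hours_worked", "approve_time_sheets"}),
    # Chapter 4: the three Security Administrator duties that should be split.
    frozenset({"maintain_roles_permission_lists", "migrate_roles_to_production"}),
    frozenset({"maintain_roles_permission_lists", "maintain_user_profiles"}),
    frozenset({"migrate_roles_to_production", "maintain_user_profiles"}),
}

# Constructed role catalogue: role name -> functions the role grants.
ROLES = {
    "payroll_entry":      {"enter_payroll_data", "calculate_confirm_paysheets"},
    "payroll_approval":   {"approve_payroll_data", "review_approve_payroll"},
    "timekeeper":         {"record_hours_worked"},
    "time_approver":      {"approve_time_sheets"},
    "hr_reports":         {"generate_reports"},
    "hr_actions":         {"generate_reports", "input_PARs"},
    "security_admin_all": {"maintain_roles_permission_lists",
                           "migrate_roles_to_production",
                           "maintain_user_profiles"},
}

# Constructed user -> assigned roles, mirroring the situations the audit found.
ASSIGNMENTS = {
    "payroll_user_1": {"payroll_entry", "payroll_approval", "timekeeper", "time_approver"},
    "payroll_user_2": {"payroll_entry", "payroll_approval"},
    "hr_user_1":      {"hr_actions"},          # only needed to generate reports
    "secadmin_1":     {"security_admin_all"},  # holds all three admin duties
    "clerk_1":        {"timekeeper"},
}

# Constructed documented need, as it would appear on the access request form.
DOCUMENTED_NEED = {
    "payroll_user_1": {"enter_payroll_data", "calculate_confirm_paysheets", "record_hours_worked"},
    "payroll_user_2": {"enter_payroll_data", "calculate_confirm_paysheets"},
    "hr_user_1":      {"generate_reports"},
    "secadmin_1":     {"maintain_user_profiles"},
    "clerk_1":        {"record_hours_worked"},
}


def effective_functions(user, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of every function granted through the user's roles."""
    funcs = set()
    for role in assignments.get(user, ()):
        funcs |= roles[role]
    return funcs


def sod_conflicts(user, assignments=ASSIGNMENTS, roles=ROLES, incompatible=INCOMPATIBLE):
    """Incompatible function pairs this user can perform, as sorted tuples."""
    funcs = effective_functions(user, assignments, roles)
    found = [tuple(sorted(pair)) for pair in combinations(funcs, 2)
             if frozenset(pair) in incompatible]
    return sorted(found)


def excess_access(user, assignments=ASSIGNMENTS, roles=ROLES, need=DOCUMENTED_NEED):
    """Functions granted beyond what the access request documents."""
    return sorted(effective_functions(user, assignments, roles) - need.get(user, set()))


def review(assignments=ASSIGNMENTS, roles=ROLES, need=DOCUMENTED_NEED):
    """One finding per user that has an SoD conflict or excess access."""
    findings = {}
    for user in assignments:
        conflicts = sod_conflicts(user, assignments, roles)
        excess = excess_access(user, assignments, roles, need)
        if conflicts or excess:
            findings[user] = {"conflicts": conflicts, "excess": excess}
    return findings


if __name__ == "__main__":
    for user, finding in review().items():
        print(user, finding)
```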
As previously stated, EPA had not adequately described the design and assignment of permission lists and roles within the system. Furthermore, EPA had not: (1) analyzed Security Administrator responsibilities to ensure one employee was not performing incompatible duties, (2) assigned duties between the two Security Administrators, and (3) provided sufficient training to security personnel to perform these duties.

Recommendations
We recommend that the Director of the Office of Financial Services:

4-1 Conduct and document an analysis of default user IDs to determine the necessity for each default account and deactivate default user IDs as appropriate.
4-2 Conduct and document an analysis of Security Administrator responsibilities and assign duties in a manner that provides adequate separation of duties.

Agency Comments and OIG Evaluation
The Director of OFS concurred with our two recommendations to review the status of default user IDs and to analyze Security Administrator responsibilities for adequate separation of duties. The Agency has completed an analysis of default user IDs and has planned a completion date for conducting and documenting a thorough analysis of Security Administrator responsibilities. The corrective action planned is appropriate and will adequately address the remaining recommendation.

Appendix A
Agency Criteria

Office of Financial Management, Policy Announcement No. 04-01, Policies and Procedures for Online Access to EPA's Integrated Human Resources, Benefits, Payroll, Time and Labor Management System-PeoplePlus, provides procedures for online access to the system. In addition, the Policy provides procedures for requesting and changing user IDs, passwords, and access; security training for PPL access coordinators and users; and responsibilities of individuals with system access.
Specifically, Security Administrators are responsible for verifying that requested access is limited to the performance of a user's assigned responsibilities, monitoring adherence to the policies and procedures contained in this Policy, and conducting an annual review of system online security functions. The Agency should monitor any changes to authorized users' employment status or changes in the duties affecting their access, conduct quarterly reviews of user access needs to ensure only those authorized functions that are required to perform their current duties are retained in their security profiles, and retain copies of the user access request forms. The Policy also identifies maintaining and ensuring adequate segregation of duties as a vital procedure for controlling access to the system. Additionally, program offices are required to ensure contractor personnel have, at a minimum, a NACIC background screening before granting access to PPL.

Office of Chief Financial Officer/Office of Administration Resources Management, PeoplePlus (PPL) Security Plan, details the managerial, operational, and technical controls for securing the PPL system. This document describes personnel security requirements as well as the requirements for segregation of duties and minimal privileges. The Security Administrators are responsible for reviewing the requests to provide reasonable assurance that unnecessary privileges are not granted. In addition, the Security Administrators are responsible for reviewing access lists quarterly to verify that users continue to need access. User access must be restricted to the minimum necessary to perform the job. At a minimum, any contractor support must pass the NACIC background check before gaining access to PPL.

EPA Order No. 2195.1 A4, Network Security Policy, establishes basic controls to ensure a secure network infrastructure.
It specifies that: (1) access authorizations and controls must follow the principles of "need-to-know," "need-to-perform," and "least privilege" in relation to functional requirements; (2) access authorizations must be documented; and (3) authorizations and associated authentication methods must be periodically reviewed, tested, and verified. In addition, the Policy specifies that network procedures, standards, and operating practices for implementation of this policy are consistent with National Institute for Standards and Technology requirements, and documented industry standards and best practices.

EPA's Information Security Manual sets forth requirements and guidance for securing Agency information resources in accordance with EPA and Federal security policies and mandates. Specifically, the policy lists requirements for personnel screening, logical access controls, and establishing proper segregation of duties.

Appendix B
Agency Response to Draft Report

July 20, 2005

MEMORANDUM

SUBJECT: PeoplePlus Security Controls Audit Report

FROM: Milton Brown, Director /s/
      Office of Financial Services (2734R)

      Rafael DeLeon, Director /s/
      Office of Human Resources (3610A)

TO: Rudolph M. Brevard, Acting Director
    Business Systems Audits
    Office of Inspector General (242IT)

We thank you for the opportunity to review and provide comments on the PeoplePlus (PPL) Security Controls Draft Audit Report (Assignment No. 2005-00342). The Office of Financial Services (OFS) and the Office of Human Resources (OHR) support the specific audit objectives: "to determine whether: (1) the Environmental Protection Agency (EPA) adequately configured People Plus application security and technical infrastructure to protect the confidentiality, integrity, and availability of system data; and (2) implemented controls were working as intended."
Based on already planned actions and the audit findings, we will continue to improve security policies, training, and general oversight of PPL security. In addition, OFS will work with users and payroll staff to address concerns and implement improved compliance of the system.

The report identifies issues with controls that it claims are commonly bypassed and lacking in management oversight. The report implies that problems are commonplace and places the Agency at substantial risk. We believe this is subject to interpretation and is overstated. Management in the Office of the Chief Financial Officer (OCFO) and the Office of Administration and Resources Management (OARM) take the integrity and privacy of employees' personnel and payroll data very seriously, and our staffs understand the importance of maintaining data integrity.

The report also states that actions that might be allowed by users with excessive privileges could create system compromises "without detection". As was provided in earlier draft responses, all payroll actions are audited, and if a supervisor or security administrator caused inappropriate or adverse actions to occur, full audit records are available to the Agency payroll audit team. In no case does any action go undetected.

In addition, the report implies that security role development and role/default account management were haphazard and lacking in attention to detail. The report does not reflect the amount of attention placed on security controls. While these areas need to be reviewed and updated now that the system is in full production, OFS spent considerable time and attention establishing and working on these areas prior to implementation.

Attached is our response to your recommendations presented to us in the draft audit report. We again appreciate the opportunity to work through the issues and we appreciate your consideration of our comments on the audit.
If you have any questions or require additional information or clarification concerning our response, please contact Sheila Bullock, Office of Financial Services, on (202) 564-5202 and Brenda Daly, Office of Human Resources, on (202) 564-6290.

Attachment

cc: Raffael Stein 2734R
Janice Kern 2734R
Jayna Alexander 2734R
Carline Ransom 2734R
Sheila Bullock 2734R
Corey Costango 242IT
Warren Brooks 242IT
William Coker 242IT
Mike Hamlin 3631M
Jeuli Bartenstein 3631M
Brenda Daly 3631M
Dennis Nolan 2733R
Richard Bennett 2733R
Joseph L. Dillon 2731A
Krista Mainess 2710A
Larry Burnham 2710A

Attachment
Responses to Recommendations

Table columns: No. | Recommendation | Concur/Non-concur | Responsible Office | Planned Completion Date | Comments

We recommend the Director of the Office of Financial Services:

2-1 Recommendation: Conduct and document an analysis of functional user system access requirements to create appropriate roles that restrict employee access to necessary functionality.
    Concur/Non-concur: Concur
    Responsible Office: OFS
    Planned Completion Date: 06/30/2005 (payroll roles); 07/31/2005 (Help Desk roles); 08/31/2005 (Time & Labor roles); 08/31/2005 (documentation)
    Comments: We have performed an analysis of functional user system access requirements to create appropriate roles associated with job functionality. Payroll roles were completed as of 6/30/05. The Help Desk roles will be completed by 7/31/05 and Time & Labor roles will be completed by 8/31/05. All roles will be documented by 08/31/05.

2-2 Recommendation: Assign all current system users to the appropriate roles.
    Concur/Non-concur: Concur
    Responsible Office: OFS
    Planned Completion Date: 08/31/2005
    Comments: All current system users will be assigned to appropriate roles. In addition, those anomalies identified in the IG Report have been corrected. We will continue to monitor security access to ensure that these inconsistencies do not occur again.
We recommend the Directors of the Office of Human Resources and the Office of Financial Services:

2-3 Recommendation: Develop and publish a joint policy memorandum to all staff reinforcing established policies and procedures outlined in the PPL Security Plan and Online Access Guide.
    Concur/Non-concur: Concur
    Responsible Office: OFS/OHR
    Planned Completion Date: 08/31/2005
    Comments: OFS and OHR will work together to develop and publish a joint policy memorandum to re-emphasize to staff the importance of the guidance provided in the PPL Security Plan and Policy Announcement 04-01 (Policies and Procedures for On-Line Access to EPA's Integrated Human Resources, Benefits, Payroll, Time and Labor Management System - PeoplePlus).

2-4 Recommendation: Develop and implement a strategy to increase managers' awareness of security responsibilities assigned to their employees.
    Concur/Non-concur: Concur
    Responsible Office: OFS/OHR
    Planned Completion Date: 08/31/2005
    Comments: OFS and OHR are working together to develop and implement a strategy to increase managers' awareness of the PPL security responsibilities assigned to their employees. Implementation of this strategy is scheduled to begin on 07/29/05. We will include this in the PPL manager training planned for August.

2-5 Recommendation: Provide in-depth training for the assigned PPL Access Coordinators and Security Administrators. Establish milestone dates when all PPL Access Coordinators and Security Administrators will complete the training.
    Concur/Non-concur: Concur
    Responsible Office: OFS/OHR
    Planned Completion Date: 08/31/2005 (Access Coordinators); Completed (each Security Administrator training listed below)
    Comments: We are in the process of providing in-depth training for the PPL Access Coordinators. The Security Administrators will also be provided training as appropriate. Please note the completed training for the OFS and OHR Security Administrators.
    OFS Security Administrator:
    - PeopleSoft Security Training version 8.12, September 10-12, 2002 (Completed)
    - PeopleSoft Security Training, July 12-14, 2005 (Completed)
    OHR Security Administrator:
    - PeopleSoft Security Training version 8.12, April 27, 2002 (Completed)
    - PeopleSoft Security Training version 8.4, March 2, 2004 (Completed)
    - Attended IT Security and Operations conference, May 17-21, 2004 (Completed)
    - Attended IT Security and Operations conference (ISO), April 11-14, 2005 (Completed)

2-6 Recommendation: Establish milestone dates when offices will implement the required quarterly reviews of user system access.
    Concur/Non-concur: Concur
    Responsible Office: OFS/OHR
    Planned Completion Date: 08/31/2005
    Comments: The required quarterly reviews will be conducted for contractors and functional users. In addition, quarterly reminders of the policy and procedures for maintaining PPL access will be provided to the PPL Access Coordinators. The milestone dates for quarterly reviews and reminders are: September 20, 2005; December 31, 2005; March 31, 2006; June 30, 2006; September 20, 2006; December 31, 2006.

2-7 Recommendation: Conduct and document an evaluation of system access needs for system development contractors with access to the production environment. Establish, document, and implement controls to ensure contractor access is limited and monitored.
    Concur/Non-concur: Concur
    Responsible Office: OFS/OHR
    Planned Completion Date: 07/31/2005 (evaluation); 07/31/2005 (controls)
    Comments: OFS and OHR will conduct and document an evaluation of system access needs for system contractors. We will also establish, document, and implement controls to ensure contractor access is limited and based on current responsibilities. Please note that controls exist today to monitor and track contractor access through the audit log. (Currently this function is performed biweekly.) This will formalize our procedures.

3-1 Recommendation: Develop, implement, and document a formal training program for the personnel responsible for requesting and approving contractor personnel access to PPL. Ensure that all Task Order Project Officers (TOPO) receive the training.
    Concur/Non-concur: Concur
    Responsible Office: OFS/OHR
    Planned Completion Date: 08/31/2005
    Comments: OFS and OHR will develop, implement, and document a formal training plan for the personnel responsible for requesting and approving contractor personnel access to PPL. In addition, we will ensure that the TOPOs receive training.

3-2 Recommendation: Develop, implement, and document specific procedures for processing contractor personnel background screening requests.
    Concur/Non-concur: Concur
    Responsible Office: OFS/OHR
    Planned Completion Date: On-Going
    Comments: OFS and OHR will document and continue to implement specific Agency procedures such as the SF-85 process and the OF-306 process, as well as the funding procedures necessary to complete these tasks.

3-3 Recommendation: Develop and implement a monitoring process for contractors granted temporary access to PPL.
    Concur/Non-concur: Concur
    Responsible Office: OHR
    Planned Completion Date: 10/2005
    Comments: It is OHR's responsibility to implement the Homeland Security Presidential Directive (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors. The Policy requires that EPA's non-Federal workers undergo Federally-sponsored background checks before being issued smart cards that will permit access to our facilities and information systems. EPA's implementation plan has been submitted to the Office of Management and Budget (OMB), with implementation expected in October. We believe that our efforts will result in a comprehensive Agency program for non-Federal worker background checks consistent with HSPD-12. Also, we will implement a monitoring process which will perform periodic checks on the status of the NACICs for all contractors that have been granted temporary access to PeoplePlus.

3-4 Recommendation: Establish a milestone date to complete documented NACIC security screenings for all contractor personnel with system access.
    Concur/Non-concur: Concur
    Responsible Office: OHR
    Planned Completion Date: Completed
    Comments: As of 06/30/2005, OFS and OHR completed all NACIC security screenings for all contractor personnel with system access (See Chapter 3 of Audit Report).
    We feel that the need for key milestones is no longer relevant due to the fact that we are following the EPA Information Security Manual 2195A1, 1999 Edition, page 68, which states: "The NACIC screening must occur prior to providing contractor personnel with access to EPA systems. Contractor personnel must submit required background investigation documentation within ten (10) days after initiation of contract. To avoid unnecessary delays, new contractor personnel may begin work while the OPM screening is in progress, provided contractor personnel have already completed pre-screening requirements by their employer." We will develop a process to monitor the status of the NACIC.

We recommend that the Director of the Office of Financial Services:

4-1 Recommendation: Conduct and document an analysis of default user IDs to determine the necessity for each default account and deactivate default user IDs as appropriate.
    Concur/Non-concur: Concur
    Responsible Office: OFS
    Planned Completion Date: Completed
    Comments: On 06/23/05, we conducted and documented an analysis of default user IDs to determine the necessity for each default account (See Chapter 4 of Audit Report). Based on the analysis it was determined that three IDs were not locked and of the three, we locked two and the passwords were changed. The third user ID could not be locked because it is used to create User Accounts. However, the access was restricted to the Security Administrator in a different name. In addition, the Default User IDs passwords will be changed quarterly - every 90 days.

4-2 Recommendation: Conduct and document an analysis of Security Administrator responsibilities and assign duties in a manner that provides adequate separation of duties.
    Concur/Non-concur: Concur
    Responsible Office: OFS/OHR
    Planned Completion Date: 07/31/2005
    Comments: OFS will conduct and document a thorough analysis of Security Administrator responsibilities and assign duties in a manner that provides adequate separation of duties. Please note that the Security Administrator is a special and complex case.
    Any user with super user privilege presents separation of duties and trust issues in any production system environment with sensitive or financial data.

Appendix C
Distribution

Office of the Administrator
Director, Office of Financial Services
Director, Office of Human Resources
Audit Coordinator, Office of the Chief Financial Officer
Audit Coordinator, Office of Administration and Resources Management
Director, Technical Information Security Staff
Agency Followup Official (the CFO)
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Inspector General